Re: [PATCH] netfilter: support for element deletion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ander Juaristi <a@xxxxxxxxxxxx> wrote:
> This patch implements element deletion from ruleset.
> 
> Example:
> 
> 	table ip set-test {
> 		set testset {
> 			type ipv4_addr;
> 			flags timeout;
> 		}
> 
> 		chain outputchain {
> 			policy accept;
> 			type filter hook output priority filter;
> 
> 			delete @testset { ip saddr }
> 		}
> 	}

Care to add a test case for this?
Thanks.

Also:

src/nft --debug=netlink list ruleset
ip set-test outputchain 3
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ dynset unknown reg_key 1 set testset timeout 0ms ]

so this is missing a small libnftnl patch too.
Also wonder why this prints 'timeout 0ms'.  Can you investigate?

libnftnl should only print it if the attribute is set so we can
tell if the timeout is 0ms or if no timeout was set.

I've tested nft+kernel patch and I see ip saddr gets deleted again from
the set when i add an enty via 'nft add element',

So functionality-wise both the userspace and kernel space patches
are good.



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux